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MEMORANDUM  FOR  DIRECTOR,  DEFENSE  LOGISTICS  AGENCY 

SUBJECT:  Quality  Control  Review  of  the  Defense  Logistics  Agency  Audit  Organization 
(Report  No.  DODIG-2015-054] 

We  are  providing  this  report  for  your  information  and  use.  We  reviewed  the  Defense  Logistics 
Agency  [DLA],  Office  of  the  Inspector  General  [OIG]  audit  organization's  system  of  quality 
control  in  effect  for  the  period  ended  September  30,  2013.  A  system  of  quality  control  for  the 
DLA  OIG's  audit  organization  encompasses  the  audit  organization's  leadership,  emphasis  on 
performing  high  quality  work,  and  policies  and  procedures  established  to  provide  reasonable 
assurance  of  compliance  with  generally  accepted  government  auditing  standards  [GAGAS]. 

The  DLA  OIG's  audit  organization  is  responsible  for  designing  a  system  of  quality  control  and 
complying  with  its  system  to  provide  DLA  management  with  reasonable  assurance  that  its 
audits  are  performed  and  reported  in  accordance  with  GAGAS  in  all  material  respects.  We 
conducted  this  quality  control  review  in  accordance  with  the  Council  of  the  Inspectors  General 
on  Integrity  and  Efficiency  (CIGIE]  Quality  Standards  for  Inspection  and  Evaluation. 

Since  their  last  quality  control  review,  for  the  period  ended  May  31,  2010,  the  DLA  OIG  audit 
organization  has  made  substantial  changes  to  improve  its  audit  operations.  For  example, 
the  DLA  OIG  implemented  official  policies  and  procedures,  which  all  auditors  are  required  to 
follow,  and  established  an  internal  quality  assurance  division  that  performs  ongoing,  periodic 
assessments  of  work  completed  on  audits. 

We  tested  the  DLA  OIG  audit  organization's  system  of  quality  control  to  the  extent  we 
considered  appropriate.  GAGAS  require  that  an  audit  organization  performing  audits  or 
attestation  engagements  or  both  have  an  appropriate  internal  quality  control  system  in  place 
and  undergo  an  external  quality  control  review  at  least  once  every  3  years  by  reviewers 
independent  of  the  audit  organization  being  reviewed.  An  audit  organization's  quality  control 
policies  and  procedures  should  be  appropriately  comprehensive  and  suitably  designed  to 
provide  reasonable  assurance  that  they  meet  GAGAS  requirements  for  quality  control. 

Federal  audit  organizations  can  receive  a  rating  of  pass,  pass  with  deficiencies,  or  fail.  We 
noted  deficiencies  related  to  the  audit  organization's  design  of  and  compliance  with  its 
system  of  quality  control  that  could  create  a  situation  in  which  the  DLA  OIG  would  have  less 
than  reasonable  assurance  of  performing  and/or  reporting  in  conformity  with  applicable 
professional  standards  in  one  or  more  important  respects.  Accordingly,  we  are  issuing 
a  pass  with  deficiencies  opinion  on  the  DLA  OIG  audit  organization  for  the  period  ended 
September  30,  2013. 
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Appendix  A  discusses  our  review  of  the  DLA  OIG  audit  organization's  system  of  quality  control 
and  Appendix  B  contains  the  matters  that  resulted  in  the  pass  with  deficiencies  opinion. 

In  addition,  Appendix  C  contains  other  findings  where  the  DLA  OIG  audit  organization  can 
improve  its  quality  control  program  related  to  auditing  practices.  Appendix  D  contains  a 
summary  of  the  results  of  our  interviews  with  the  DLA  OIG  audit  staff.  Appendix  E  contains 
the  scope  and  methodology  of  the  review. 

We  appreciate  the  courtesies  extended  to  the  staff.  For  additional  information  on  this 
report,  please  contact  Ms.  Carolyn  R.  Davis  at  (703]  604-8877  (DSN  664-8877]  or 

Carolyn.Davis@dodig.mil. 


Randolph  R.  Stone 
Deputy  Inspector  General 
Policy  and  Oversight 
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Introduction 


Introduction 


Defense  Logistics  Agency 

The  Defense  Logistics  Agency  [DLA]  is  the  Department  of  Defense's  largest  logistics 
combat  support  agency,  providing  worldwide  logistics  support  in  both  peacetime 
and  wartime  to  the  military  services  as  well  as  several  civilian  agencies,  state  and 
local  governments,  and  foreign  countries.  DLA  is  headquartered  at  Fort  Belvoir  in 
Northern  Virginia  and  had  $39  billion  in  FY  2013  sales  and  revenues.  DLA  employs 
more  than  25,500  employees,  supports  roughly  2,400  weapon  systems,  and 
manages  9  supply  chains  and  nearly  6  million  items.  DLA  operates  in  48  states 
and  28  countries,  and  processes  more  than  98,000  requisitions  and  more  than 
9,000  contract  actions  a  day.  DLA  supports  humanitarian  relief  efforts  within  the 
United  States  and  abroad,  provides  logistics  support  to  other  Federal  agencies,  and 
had  FY  2013  foreign  military  sales  of  about  $2.1  billion,  supporting  113  nations. 

DLA  Audit  Organization 

The  DLA  audit  organization  is  located  within  the  Office  of  the  Inspector 
General  (OIG],  which  is  headquartered  at  Fort  Belvoir,  Virginia.  The  DLA  OIG, 
formerly  the  DLA  Accountability  Office,  was  established  in  April  2011.  The  mission 
of  the  DLA  OIG  is  to  provide  independent,  relevant,  effective,  and  timely  audit  and 
investigative  services  to: 

•  support  warfighters  worldwide, 

•  provide  the  DLA  Director  with  facts  and  recommendations, 

•  help  mitigate  risk  and  reduce  vulnerability  to  crime, 

•  promote  accountability  and  integrity, 

•  ensure  compliance  with  public  law  and  DoD  policies,  and 

•  improve  the  effectiveness  and  efficiency  of  DLA's  processes  and  systems. 

In  addition  to  the  audit  staff  at  DLA  Headquarters,  the  audit  organization  has  staff 
members  at  offices  located  in  Richmond,  Virginia;  Philadelphia,  Pennsylvania; 

New  Cumberland,  Pennsylvania;  Columbus,  Ohio;  and  Battle  Creek,  Michigan. 
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Appendix  A 

System  of  Quality  Control 

With  the  exception  of  one  area,  the  DLA  OIG  audit  organization's  system  of  quality 
control  was  suitably  designed.  Since  their  last  quality  control  review  for  the  period 
ended  May  31,  2010,  the  DLA  OIG  addressed  our  recommendation  to  implement 
official  policies  and  procedures,  which  all  auditors  are  required  to  follow. 

The  DLA  OIG  audit  organization  established  its  comprehensive  quality  control 
system  in  the  DLA  OIG  Quality  Control  and  Assurance  Procedures  (QCAP).  The  DLA 
OIG  audit  organization  performed  work  and  issued  reports  covered  in  our  review 
pursuant  to  the  July  15,  2011,  and  April  18,  2012,  versions  of  the  QCAP. 

In  one  area,  the  QCAP  did  not  contain  specific  policies  and  procedures  in  relation  to 
ensuring  that  audits  and  attestation  engagements  comply  with  generally  accepted 
government  auditing  standards  (GAGAS],  The  QCAP  did  not  contain  procedures  for 
evaluating  the  impact  of  previously  performed  nonaudit  services  on  the  auditors' 
independence  on  a  prospective  or  current  engagement  and  for  addressing  any 
threats  identified.  Adding  policies  and  procedures  to  the  QCAP  for  this  area  will 
assist  DLA  OIG  management  in  ensuring  that  auditors  are  fully  aware  of  their 
responsibilities  when  performing  work  in  accordance  with  GAGAS. 

Recommendations,  Management  Comments,  and 
Our  Response 

Recommendation  1 

We  recommend  the  Inspector  General,  DLA,  update  the  QCAP  to  include 
policies  and  procedures  that  explain  how  to  (1)  evaluate  the  impact  of 
previously  performed  nonaudit  services  on  the  auditors'  independence  on  a 
prospective  or  current  engagement  and  (2)  address  any  threats  identified. 

DLA  Comments: 

The  Inspector  General,  DLA  concurred.  Additional  guidance  will  be  added  to  the 
DLA  Quality  Control  and  Assurance  Procedures  [QCAP]  to  evaluate  the  impact 
of  previously  performed  non-audit  services  on  auditors'  independence  on  a 
prospective  or  current  engagement.  If  significant  threats  are  identified,  appropriate 
mitigating  controls  will  be  incorporated  into  the  audit  plan. 

Our  Response: 

DLA  comments  were  responsive  to  the  recommendation.  No  additional  comments 
are  needed. 
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Appendix  B 

Deficiencies  That  Provide  the  Basis  for  the 
Opinion  Rendered 

We  identified  deficiencies  related  to  the  audit  organization's  design  of  and 
compliance  with  its  system  of  quality  control  that  could  create  a  situation  in 
which  the  DLA  OIG  would  have  less  than  reasonable  assurance  of  performing  and/ 
or  reporting  in  conformity  with  applicable  professional  standards  in  one  or  more 
important  respects.1  Deficiencies  were  identified  in  the  areas  of  professional 
judgment,  supervision,  planning,  and  audit  evidence  and  documentation.  In  some 
instances,  the  deficiencies  identified  limited  the  reliability  of  two  of  the  six  audit 
reports  we  reviewed. 

We  assessed  three  of  the  six  audit  reports  in  our  sample  for  compliance  with 
the  2007  revision  of  GAGAS  because  those  audits  began  before  the  GAGAS  2011 
requirements  were  implemented.  However,  we  identified  issues  that  are  still 
applicable  even  when  we  applied  the  2011  revisions  of  GAGAS. 

The  following  deficiencies  affected  our  opinion  on  the  DLA  OIG  audit  function's 
compliance  with  its  system  of  quality  control. 

•  In  relation  to  three  of  the  audits  reviewed,  the  DLA  OIG  audit  function 
did  not  exercise  sufficient  professional  judgment  as  evidenced  by 
noncompliance  with  GAGAS  and  its  system  of  quality  control. 

•  Inadequate  supervision  was  evident  on  three  audits,  which  contributed  to 
noncompliance  with  GAGAS  and  internal  audit  policies  and  procedures. 

•  The  reliability  of  two  audit  reports  was  limited  because: 

o  Auditors  did  not  evaluate  the  effectiveness  of  significant 
information  systems  controls  when  they  were  determined  to 
be  significant  to  the  audit  objectives.  This  included  not  gaining 
an  understanding  of  the  system  as  it  relates  to  the  information 
and  identifying  and  evaluating  the  general,  application,  and  user 
controls  that  are  critical  to  providing  assurance  over  the  reliability 
of  the  information  required  for  the  audit  (Planning], 

o  Auditors  did  not  obtain  assurance  over  the  reliability  of  the 
information  when  they  used  information  provided  by  officials 
of  the  audited  entity  as  part  of  their  evidence  (Audit  Evidence 
and  Documentation]. 


1  The  deficiencies  identified  did  not  rise  to  the  level  of  a  significant  deficiency  because  they  were  not  systemic,  and  taken 
as  a  whole,  were  not  significant  enough  to  affect  the  DLA  OIG's  reasonable  assurance  of  performing  and/or  reporting  in 
conformity  with  applicable  professional  standards  in  all  material  respects. 
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o  Auditors  did  not  assess  the  reliability  of  computer-processed  data 
(Audit  Evidence  and  Documentation], 

o  Auditors  did  not  obtain  sufficient,  appropriate  evidence  to  provide 
a  reasonable  basis  for  their  findings  and  conclusions  (Audit 
Evidence  and  Documentation], 

These  deficiencies  provided  the  basis  for  the  opinion  rendered.  Implementing 
the  recommendations  identified  in  this  report  would  assist  the  DLA  OIG  efforts 
in  improving  its  audit  organization's  system  of  quality  control  and  help  increase 
compliance  with  GAGAS  requirements. 

Professional  Judgment 

The  DLA  OIG  Audit  Organization  Did  Not  Exercise  Professional 
Judgment  in  Planning  and  Performing  Audits  and  in 
Reporting  the  Results 

GAGAS  3.31  (2007  revision]  and  3.60  (2011  revision]  state  that  auditors  must 
use  professional  judgment  in  planning  and  performing  audits  and  in  reporting 
the  results.  GAGAS  3.35  (2007  revision]  and  3.64  (2011  revision]  state  using 
professional  judgment  is  important  to  auditors  in  carrying  out  all  aspects  of  their 
professional  responsibilities,  including  maintaining  objectivity  and  credibility; 
defining  the  scope  of  work;  evaluating,  documenting,  and  reporting  the  results  of 
the  work;  and  maintaining  appropriate  quality  control  over  the  assignment/audit 
process.  The  QCAP  requires  that  when  stating  that  their  work  is  conducted  in 
accordance  with  GAGAS,  DLA  OIG  auditors  must  use  professional  judgment  in 
planning  and  performing  audits  and  in  reporting  the  results.  We  determined  that 
for  three  of  the  six  of  audits  reviewed,  the  DLA  OIG  audit  function  did  not  exercise 
professional  judgment  due  to  the  array  of  noncompliances  found  in  the  majority  of 
auditing  standards  areas  including:  planning,  supervision,  evidence,  documentation, 
reporting,  and  the  use  and  application  of  GAGAS.  The  GAGAS  areas  where  the  audit 
organization  lacked  professional  judgment  for  the  three  projects  are  included  in 
Table  B-l  and  discussed  in  detail  throughout  this  report. 
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Table  B-l.  DLA  OIG  Audit  Organization’s  Noncompliances  with  GAGAS 
and  System  of  Quality  Control 


Audits  Reviewed  (By 
Report  Number) 

Planning 

Audit 

Evidence  and 
Documentation 

Supervision 

Reporting 

Quality 

Control 

Audit  of  DLA  Disposition 
Services  Contingency 
Operations  in 

Afghanistan 

(Report  No.  DAO-12-07) 

X 

X 

X 

X 

X 

Audit  of  Real  Property 
Additions,  Disposals, 
and  Construction-In- 
Progress  (Report  No. 
DAF-12-15)* 

X 

X 

X 

X 

X 

Audit  of  the 

Sustainment, 

Restoration,  and 
Modernization  (SRM) 
Program  -  Europe 
(Report  No.  DLA  OIG 
FY14-04) 

X 

X 

X 

X 

*  The  audit  report  for  this  project  was  rescinded  during  this  review  after  the  DLA  OIG  Quality 
Assurance  Division  identified  significant  issues  that  required  immediate  attention.  The 
significant  issues  included  a  lack  of  an  evaluation  of  information  systems  control  effectiveness 
and  recommendations  that  did  not  flow  logically  from  the  findings  and/or  were  not  directed  at 
resolving  the  root  causes  of  the  reported  findings.  The  DoD  OIG  decided  to  continue  to  review 
the  project;  it  remained  in  the  sample  of  projects  to  review. 

Table  B-l  depicts  deficiencies  and  other  findings  in  multiple  standards  areas, 
which  evidences  a  lack  of  professional  judgment  as  defined  in  GAGAS  3.31  and 
3.35  (2007  revision]  and  GAGAS  3.60  and  3.64  (2011  revision].  This  table 
also  includes  noncompliances  discussed  in  Appendix  C  to  capture  the  lack  of 
professional  judgment  in  all  aspects  related  to  the  professional  responsibilities  of 
DLA  OIG  auditors. 

Supervision 

Inadequate  Supervision 

For  three  of  the  six  projects  reviewed,  inadequate  supervision  contributed  to  the 
deficiencies  associated  with  each  project.  There  was  inadequate  supervision  during 
the  planning  phase  of  audits,  compilation  of  audit  evidence  and  documentation,  and 
reporting  the  results.  Based  on  discussions  with  audit  management,  we  believe 
adequate  supervisory  reviews  could  have  detected  the  deficiencies  and  presented 
opportunities  for  the  audit  staff  to  correct  them  prior  to  working  papers  being 
finalized  and  the  audit  reports  being  issued. 
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GAGAS  7.53  (2007  revision]  and  6.54  (2011  revision]  state  that  audit  supervision 
involves  providing  sufficient  guidance  and  direction  to  staff  assigned  to  the  audit 
to  address  the  audit  objectives  and  applicable  requirements,  while  staying  informed 
about  significant  problems  encountered,  and  reviewing  the  work  performed.  The 
QCAP  states  that  throughout  the  audit,  audit  managers  must  properly  supervise 
audit  staff  and  that  the  audit  manager  and  Auditor  in  Charge  (AIC]  are  the  key 
audit  positions  responsible  for  ensuring  the  audit  documentation  is  in  compliance 
with  the  QCAP.  Tables  B-2,  B-3,  and  B-4  summarize  the  supervisory  deficiencies 
and  noncompliances  with  the  QCAP  among  the  three  projects. 


B-2.  Audit  Planning 


Audit  Project(s)  Deficiency  QCAP  Guidance 


1. )  Audit  of  DLA  Disposition 
Services  Contingency 
Operations  in  Afghanistan 
(Project  Code  DAO-12-07) 

2. )  Audit  of  Real  Property 
Additions,  Disposals  and 
Construction-in-Progress 
(Project  Code  DAF-12-15) 


Auditors  did  not  always  obtain 
an  understanding  of  and 
evaluate  information  systems 
controls  and  their  design  and 
effectiveness  significant  to 
the  audit  objectives. 


If  the  information  systems 
controls  are  determined 
significant  to  the  audit 
objectives,  auditors  should 
evaluate  the  design  and 
operational  effectiveness 
of  such  controls.  Audit 
procedures  to  evaluate  the 
effectiveness  of  significant 
information  systems  controls 
include: 

A.  Gaining  an  understanding 
of  the  system  as  it  relates  to 
the  information. 

B.  Identifying  and  evaluating 
the  general  and  application 
controls  that  are  critical  to 
providing  assurance  over  the 
reliability  of  the  information 
required  for  the  audit. 
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B-3.  Compiling  Audit  Evidence  and  Documentation 


Audit  Project(s) 

Deficiency 

QCAP  Guidance 

Audit  of  the  SRM  Program  - 
Europe  (Project  Code  DAO-ll-Ol) 

1. )  Audit  documentation 
did  not  support  findings 
and  conclusions  that  were 
included  in  the  audit 
reports. 

2. )  Audit  documentation 
was  not  prepared  in 
sufficient  detail,  and 

in  some  instances,  the 
documentation  was 
in  conflict  with  other 
documentation  within  the 
project  and  the  audit  report. 

1. )  Audit  documentation 
provides  a  record  of 
the  work  performed 
and  should  support  the 
auditor's  findings,  opinions, 
conclusions. 

2. )  Auditors  must  prepare 
audit  documentation 

for  each  audit  in  sufficient 
detail  to  provide  a  clear 
understanding  of  the 
work  performed  (including 
the  nature,  timing,  extent, 
and  results  of  audit 
procedures  performed),  the 
audit  evidence  obtained 
and  its  source,  and  the 
conclusions  reached. 

Audit  of  DLA  Disposition  Services 
Contingency  Operations  in 
Afghanistan  (Project  Code  DAO- 
12-07) 

Auditors  did  not  obtain 
assurance  over  the  reliability 
of  information  provided  by 
auditee  officials  and  relied 
upon  by  the  auditors  as  part 
of  their  evidence. 

Auditors  must  consider  the 
reliability  of  documentary 
evidence.  Although  most 
documents  received  from 
the  organization  would  be 
difficult  to  alter  without 
detection,  auditors  must 
consider  this  possibility 
and  examine  the 
documents  carefully. 

1. )  Audit  of  Real  Property 
Additions,  Disposals  and 
Construction-in- Progress 
(Project  Code  DAF-12-15) 

2. )  Audit  of  DLA  Disposition 
Services  Contingency  Operations 
in  Afghanistan  (Project  Code 
DAO-12-07) 

Auditors  did  not  assess 
the  sufficiency  and 
appropriateness  of 
computer-processed 
information. 

Auditors  should  assess 
the  sufficiency  and 
appropriateness  of 
computer  processed 
information,  regardless  of 
whether  this  information  is 
provided  to  auditors  or  they 
extract  it  independently. 

The  assessment  of 
the  sufficiency  and 
appropriateness  includes 
considerations  regarding 
the  completeness  and 
accuracy  of  the  data  for 
the  intended  purposes.  A 
data  reliability  assessment 
should  be  performed  for 
computer-processed  data 
that  materially  support 
findings,  conclusions,  or 
recommendations. 
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B-4.  Reporting  the  Results 


Audit  Project(s) 

Deficiency 

QCAP  Guidance 

1. )  Audit  of  DLA  Disposition 

Services  Contingency 

Operations  in  Afghanistan 
(Project  Code  DAO-12-07) 

2. )  Audit  of  the  SRM  Program - 
Europe  (Project  Code  DAO-11-01) 

Auditors  did  not  describe 
the  sample  design  and  state 
why  the  design  was  chosen, 
including  whether  the 
results  can  be  projected  to 
the  intended  population. 

If  the  report  relies  on  a 
sample,  a  description  of 
the  methodology  used  to 
select  the  sample  must  be 
contained  in  the  scope  and 
methodology  section. 

1. )  Audit  of  Real  Property 

Additions,  Disposals  and 
Construction-in- Progress 
(Project  Code  DAF-12-15) 

2. )  Audit  of  the  SRM  Program - 
Europe 

(Project  Code  DAO-11-01) 

Recommendations  did  not 
flow  logically  from  the 
findings  and  conclusions. 

Recommendations  are  most 
effective  when  they  are 
specific  and  practical. 

Audit  of  the  SRM  Program  - 
Europe  (Project  Code  DAO-ll-Ol) 

No  recommend  actions 
to  correct  a  deficiency 
identified  during  the  audit 
and  to  improve  programs 
and  operations  when  the 
potential  for  improvement 
in  programs,  operations, 
and  performance  was 
substantiated  by  the 
reported  findings  and 
conclusions. 

The  audit  report  documents 
and  communicates  the 
deficiencies  needing  action, 
recommends  the  needed 
corrective  action,  and 
identifies  who  should  take 
the  action. 

Audit  of  the  SRM  Program  - 
Europe  (Project  Code  DAO-ll-Ol) 

Auditors  did  not  evaluate 
the  validity  of  the  audited 
entity's  comments  when 
the  comments  were  in 
conflict  with  the  findings 
and  conclusions  in  the 
draft  report. 

Briefly  summarize 
management  comments 
and  include  an  evaluation 
of  these  comments  in  the 
body  of  the  audit  report. 

Planning 

Auditors  Did  Not  Evaluate  the  Effectiveness  of  Significant 
Information  Systems  Controls 

For  two  of  the  six  projects  reviewed,  auditors  did  not  evaluate  the  effectiveness 
of  significant  information  systems  controls  that  were  needed  to  obtain  sufficient, 
appropriate  evidence  to  support  the  audit  findings  and  conclusions.  As  a 
result,  there  was  a  lack  of  assurance  that  the  information  required  for  the  audit 
was  reliable. 

GAGAS  6.25  (2011  revision]  states  that  audit  procedures  to  evaluate  the 
effectiveness  of  significant  information  systems  controls  include:  [1]  gaining  an 
understanding  of  the  system  as  it  relates  to  the  information  and  [2]  identifying 
and  evaluating  the  general,  application,  and  user  controls  that  are  critical  to 
providing  assurance  over  the  reliability  of  the  information  required  for  the  audit. 
The  QCAP  states  that  DLA  auditors  are  responsible  for  obtaining  and  documenting 
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a  sufficient  understanding  of  information  system  controls  in  order  to  assess  audit 
risk  and  develop  audit  objectives.  Information  system  controls  are  significant 
if  their  effectiveness  is  necessary  to  obtain  sufficient,  appropriate  evidence  to 
support  the  audit  objectives. 

For  the  Audit  of  DLA  Disposition  Services  Contingency  Operations  in  Afghanistan, 
Report  No.  DAO-12-07,  there  was  no  audit  documentation  showing  the  auditors 
gained  an  understanding  about  the  Management  Information  Distribution  and 
Access  System  (MIDAS],  The  auditors  used  data  generated  from  MIDAS  to  analyze 
property  receipt  transaction  data  for  141  sample  items  at  3  sites  to  determine 
whether  the  audited  entity  had  sufficient  policies  and  controls  in  place  to 
accomplish  their  mission.  The  auditors'  analysis  yielded  two  types  of  discrepancies 
with  the  computer-generated  data  and  there  was  a  recommendation  for  corrective 
action.  However,  because  there  was  no  evaluation  of  the  effectiveness  of  controls 
over  MIDAS,  the  auditors  may  not  have  assessed  audit  risk  adequately,  potentially 
resulting  in  improper  or  incomplete  findings,  conclusions,  and  recommendations. 

For  the  Audit  of  Real  Property  Additions,  Disposals  and  Construction-in-Progress, 
Report  No.  DAF-12-15,  the  auditors  did  not  perform  information  systems  control 
testing  of  the  Enterprise  Business  System  [EBS]  although  they  relied  on  data 
generated  from  the  system.  The  auditors  did  not  perform  information  systems 
control  testing  because  they  assumed  the  information  generated  from  EBS  was 
accurate.  The  auditors  used  data  and  reports  generated  from  EBS  to  determine 
whether  real  property  additions  and  disposals  used  by  DLA  were  properly 
accounted  for  and  recorded.  The  DLA  OIG  identified  deficiencies  and  concluded 
the  deficiencies  may  have  represented  a  material  weakness  in  the  real  property 
and  financial  reporting  process.  Based  on  their  findings,  the  DLA  OIG  developed 
nine  recommendations.  In  March  2014,  the  DLA  OIG  rescinded  the  audit  report 
because  an  internal  quality  assurance  review  determined  the  audit  work  was 
deficient,  in  part,  because  the  audit  team  did  not  evaluate  the  effectiveness  of 
EBS's  controls. 

Audit  Evidence  and  Documentation 

Auditors  Did  Not  Assess  the  Reliability  of 
Computer-Processed  Data 

For  two  of  the  six  projects  reviewed,  auditors  did  not  assess  the  reliability  of 
computer-processed  data  that  materially  supported  their  findings,  conclusions, 
and  recommendations.  GAGAS  6.66  (2011  revision]  states  that  the  assessment  of 
the  sufficiency  and  appropriateness  of  computer-processed  information  includes 
considerations  regarding  the  completeness  and  accuracy  of  the  data  for  the 
intended  purposes.  The  QCAP  states  that  data  reliability  refers  to  the  accuracy 
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and  completeness  of  computer-processed  data,  given  the  intended  purposes  for  use. 
A  data  reliability  assessment  should  be  performed  for  computer-processed  data 
that  materially  support  findings,  conclusions,  or  recommendations.  Auditors  should 
refer  to  GAO's  Guide  GAO-09-680G  "Applied  Research  and  Methods:  Assessing  the 
Reliability  of  Computer-Processed  Data,”  July  2009,  for  a  framework  to  use  when 
designing  a  data  reliability  assessment. 

For  the  Audit  of  DLA  Disposition  Services  Contingency  Operations  in  Afghanistan, 
auditors  used  property  receipt  transaction  data  that  were  generated  from  MIDAS 
to  determine  whether  the  audited  entity  had  sufficient  policies  and  controls  in 
place  to  accomplish  its  mission.  The  auditors  determined  they  did  not  have  to 
assess  the  reliability  of  the  computer-generated  data  because  they  reviewed  source 
documentation  maintained  at  the  sites  to  develop  the  related  audit  conclusions. 

For  the  Audit  of  Real  Property  Additions,  Disposals  and  Construction-in-Progress, 
auditors  used  data  and  reports  generated  from  EBS  and  did  not  assess  the 
reliability  of  the  data  because  they  assumed  that  information  generated  from  the 
system  was  accurate. 

Auditors  Did  Not  Verify  the  Reliability  of  Information  That 
Was  Provided  by  Officials  of  the  Audited  Entity 

For  one  of  the  six  projects  reviewed,  auditors  did  not  verify  the  reliability  of 
the  information  when  the  information  was  provided  by  officials  of  the  audited 
entity  as  part  of  their  evidence.  GAGAS  6.65  (2011  revision]  states  that  when 
auditors  use  information  provided  by  officials  of  the  audited  entity  as  part  of  their 
evidence,  they  should  determine  what  the  officials  of  the  audited  entity  or  other 
auditors  did  to  obtain  assurance  over  the  reliability  of  the  information.  The  QCAP 
states  auditors  must  consider  the  reliability  of  documentary  evidence.  Although 
most  documents  received  from  the  audited  organization  would  be  difficult  to 
alter  without  detection,  auditors  must  consider  this  possibility  and  examine  the 
documents  carefully. 

For  the  Audit  of  DLA  Disposition  Services  Contingency  Operations  in  Afghanistan, 
the  auditors  reviewed  source  documentation  maintained  at  the  sites  to  develop  the 
related  audit  conclusions.  The  source  documentation  was  used  in  conjunction  with 
computer-processed  data  derived  from  MIDAS,  the  information  system  in  which 
the  auditors  did  not  gain  an  understanding  of  as  it  relates  to  the  information  or 
identify  and  evaluate  the  general,  application,  and  user  controls  that  are  critical  to 
providing  assurance  over  the  reliability  of  the  information  required  for  the  audit. 
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Lack  of  Sufficient  and  Appropriate  Evidence  to  Support  the 
Findings  and  Conclusions 

For  two  of  the  six  projects  reviewed,  the  auditors  did  not  have  sufficient  and 
appropriate  evidence  to  support  the  findings  and  conclusions  reported.  This 
determination  is  based  on  the  fact  that  the  auditors  did  not  assess  the  reliability 
of  computer-processed  data  that  materially  supported  their  findings,  conclusions, 
and  recommendations.  GAGAS  6.66  (2011  revision]  states  the  assessment  of  the 
sufficiency  and  appropriateness  of  computer-processed  information  includes 
considerations  regarding  the  completeness  and  accuracy  of  the  data  for  the 
intended  purposes.  GAGAS  7.14  (2011  revision]  states  that  in  the  audit  report, 
auditors  should  present  sufficient,  appropriate  evidence  to  support  the  findings 
and  conclusions  in  relation  to  the  audit  objectives.  The  QCAP  states  data 
reliability  refers  to  the  accuracy  and  completeness  of  computer-processed  data, 
given  the  intended  purposes  for  use.  Auditors  should  assess  the  sufficiency  and 
appropriateness  of  computer-processed  information. 

For  the  Audit  of  DLA  Disposition  Services  Contingency  Operations  in  Afghanistan, 
Report  No.  DAO-12-07,  the  auditors  used  property  receipt  transaction  data 
that  was  generated  from  a  computer  system,  MIDAS,  to  determine  whether  the 
audited  entity  had  sufficient  policies  and  controls  in  place  to  accomplish  its 
mission.  The  auditors  determined  they  did  not  have  to  assess  the  reliability  of  the 
computer-generated  data  because  they  reviewed  source  documentation  maintained 
at  the  sites  to  develop  the  related  audit  conclusions.  Based  on  their  analysis,  the 
auditors  identified  two  types  of  discrepancies  and  developed  one  recommendation. 

For  the  Audit  of  Real  Property  Additions,  Disposals  and  Construction-in-Progress, 
Report  No.  DAF-12-15,  auditors  used  data  and  reports  generated  from  a  computer 
system,  EBS,  and  did  not  assess  the  reliability  of  the  data.  The  auditors  stated 
in  the  report  that  they  assumed  the  information  generated  from  the  system 
was  reliable.  Based  on  their  analysis,  the  auditors  developed  three  (of  the  nine] 
recommendations  relating  to  real  property  and  real  property  financial  data 
generated  from  EBS.  In  March  2014,  a  DLA  OIG  internal  quality  assurance  review 
also  determined  the  audit  work  was  deficient  because  there  was  insufficient 
and  inappropriate  evidence  to  support  the  reported  findings,  conclusions,  and 
recommendations.  The  DLA  OIG  audit  organization  rescinded  the  audit  report 
because  of  these  findings. 
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Recommendations,  Management  Comments,  and 
Our  Response 

Recommendation  2 

We  recommend  the  Inspector  General,  DLA,  take  additional  steps  to  ensure 
the  audit  organization  complies  with  GAGAS  and  the  QCAP.  The  quality 
control  review  results  showed  that  the  audit  organization  needs  to  take 
additional  steps  because  the  current  policy  and  procedures  do  not  appear 
to  be  enough  to  consistently  achieve  a  reasonable  level  of  compliance. 
Additional  steps  should  include: 

•  Provide  training  to  the  staff  to  improve  the  audit  organization's 
understanding  and  knowledge  of  the  following  GAGAS  standards: 
professional  judgment,  supervision,  and  audit  evidence  and 
documentation  (accessing  the  reliability  of  computer-generated  data). 

•  Establish  a  6-month  plan  identifying  high-risk  areas  to  review  for 
compliance  with  internal  quality  control  policies  and  procedures 
and  GAGAS. 

DLA  Comments: 

The  Inspector  General,  DLA  concurred.  Additional  training  will  be  provided  to 
auditors-in-charge  in  the  last  week  of  January  2015  and  training  will  be  provided  to 
the  remaining  auditors  by  June  2015.  Training  will  include  guidance  on  conducting 
audits  to  ensure  conformity  with  generally  accepted  government  auditing 
standards  (GAGAS)  and  the  DLA  QCAP. 

After  completion  of  the  semi-annual  internal  quality  assurance  reviews,  audit 
leadership  will  discuss  the  results  of  high-risk  areas  identified,  with  emphasis 
on  the  importance  of  compliance  with  GAGAS  and  the  DLA  QCAP  during  the 
performance  and  review  of  future  audit  projects. 

Our  Response: 

DLA  comments  were  responsive  to  the  recommendation.  No  additional  comments 
are  needed. 
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Appendix  C 

Other  Findings  That  Warrant  Disclosure 

The  DLA  OIG  audit  organization's  performance  during  the  audits  reviewed  showed 
evidence  of  noncompliance  in  three  additional  GAGAS  areas  pertaining  to  audit 
evidence  and  documentation,  reporting,  and  quality  control.  The  following  three 
areas  of  noncompliance  did  not  affect  the  opinion  rendered,  but  due  to  their 
relative  importance  to  the  audit  organization's  system  of  quality  control,  they 
warranted  disclosure. 

Audit  Evidence  and  Documentation 

•  For  one  audit,  auditors  did  not  prepare  audit  documentation  in  sufficient 
detail  and  the  documentation  was  in  conflict  with  other  documentation 
within  the  same  project  and  the  audit  report. 

Reporting 

•  For  five  audits,  the  DLA  OIG  audit  organization  included  a  modified  GAGAS 
compliance  statement  in  its  audit  reports,  but  did  not  document  the 
assessment  of  the  GAGAS  noncompliance  to  the  audit  objectives  along  with 
its  reasons  for  not  complying  with  the  requirements. 

•  For  two  audits,  audit  reports  did  not  discuss  sample  designs  and  state 
why  the  designs  were  chosen,  including  whether  the  results  can  be 
projected  to  the  intended  population, 

•  For  two  audits,  auditors  did  not  develop  recommendations  that 
flowed  logically  from  the  findings  and  conclusions  and/or  developed 
recommendations  that  were  not  directed  at  resolving  the  causes  of  the 
identified  findings  and  conclusions, 

•  For  one  audit,  auditors  did  not  develop  recommended  actions  to  correct  a 
deficiency  identified  during  the  audit  when  the  potential  for  improvement 
in  programs,  operations,  and  performance  was  substantiated  by  the 
reported  findings  and  conclusions,  and 

•  For  one  audit,  auditors  did  not  evaluate  the  validity  of  the  audited 
entity's  comments  when  the  comments  were  in  conflict  with  the  findings, 
conclusions,  and  recommendations  in  the  draft  report. 

Quality  Control 

•  For  three  audits,  auditors  did  not  comply  with  independent  reference 
review  policies  and  procedures  and 

•  For  two  audits,  auditors  did  not  comply  with  Quality  Control 
Checklists'  procedures. 
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Audit  Evidence  and  Documentation 

Auditors  Did  Not  Prepare  Documentation  in  Sufficient  Detail 

For  one  of  the  audits  reviewed,  extensive  verbal  explanations  were  required 
from  the  DLA  OIG  to  enable  the  DoD  OIG  review  team  to  understand  the  work 
performed  and  the  conclusions  reached.  Particularly,  the  DoD  OIG  review  team 
had  to  inquire  as  to  why  summary  working  papers,  the  supporting  documentation 
for  the  summary  working  papers,  and  in  some  instances  the  audit  report, 
contained  conflicting  results.  GAGAS  7.77  (2007  revision]  states  that  auditors 
must  prepare  audit  documentation  related  to  planning,  conducting,  and  reporting 
for  each  audit.  Auditors  should  prepare  audit  documentation  in  sufficient  detail 
to  enable  an  experienced  auditor,  having  no  previous  connection  to  the  audit,  to 
understand  from  the  audit  documentation  the  nature,  timing,  extent,  and  results 
of  audit  procedures  performed.  The  QCAP  states  auditors  must  prepare  audit 
documentation  for  each  audit  in  sufficient  detail  to  provide  a  clear  understanding 
of  the  work  performed  (including  the  nature,  timing,  extent,  and  results  of  audit 
procedures  performed],  and  the  conclusions  reached. 

For  the  Audit  of  the  SRM  Program-Europe,  the  auditors  performed  testing 
throughout  the  audit  to  achieve  the  audit  objective.  For  two  of  the  four  types  of 
tests  the  auditors  performed,  the  summary  working  papers,  spreadsheets,  and/or 
the  audit  report  contained  conflicting  results.  During  discussions  with  DLA  OIG 
audit  staff,  they  admitted  that  the  audit  documentation  was  confusing  and  difficult 
to  follow.  We  determined  the  inconsistencies  did  not  significantly  affect  the  audit 
results.  Specifically,  we  found: 

•  For  three  sample  projects  tested,  the  summary  working  paper  stated 
that  two  of  the  sample  projects  were  outside  of  the  audit  scope,  thus,  one 
sample  item  remained.  The  result  of  the  testing  for  the  one  remaining 
sample  project  was  not  included  in  the  summary  working  paper;  we  could 
not  determine  whether  an  exception  was  noted  by  the  audit  team.  The 
supporting  spreadsheet  for  the  summary  working  paper  identified  the 
three  sample  projects,  with  no  exceptions. 

•  A  spreadsheet  identified  two  sample  projects  with  exceptions.  This 

is  inconsistent  with  the  audit  report,  which  stated  there  was  only  one 
sample  project  with  an  exception. 

•  There  was  a  discrepancy  for  the  total  exceptions  noted  in  the  audit  report 
versus  what  was  stated  in  the  summary  working  paper.  The  exceptions 
noted  were  for  missing  technical  documentation.  The  audit  report  stated 
there  were  three  exceptions,  while  the  summary  working  paper  noted 
nine  exceptions. 
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Also,  the  audit  report  stated  the  audit  was  initiated  because  management  of  the 
audited  entity  expressed  concerns  with  four  specific  SRM  projects.  However, 
in  the  audit  documentation,  it  was  stated  management  expressed  concern  with 
six  projects.  DLA  OIG  auditors  were  unsure  why  the  discrepancy  occurred.  They 
stated  maybe  the  working  paper  was  not  updated  after  discussions  with  the 
audited  entity. 

Reporting 

Usage  of  a  Modified  GAGAS  Compliance  Statement  in 
Audit  Reports 

Audit  reports  issued  by  the  DLA  OIG  audit  organization  for  the  period  under  review 
included  a  modified  GAGAS  compliance  statement.  The  DLA  OIG  audit  organization 
included  the  compliance  statement  in  their  audit  reports,  but  did  not  always 
perform  all  the  necessary  procedures  required  by  GAGAS  and  the  QCAP  when  doing 
so.  Specifically,  when  auditors  did  not  comply  with  applicable  GAGAS  requirements, 
they  did  not  document  the  assessment  of  the  noncompliance  to  the  audit  objective 
along  with  their  reasons  for  not  following  the  requirements.  We  determined  that 
the  DLA  OIG  documented  their  assessment  of  the  organizational  impairments, 
along  with  their  reasons  for  not  following  GAGAS  requirements  for  only  one 
project  (DLA  Implementation  of  the  Federal  Information  Security  Management 
Act  (FISMA]  Reporting  Process,  DoD  Information  Assurance  Certification  and 
Accreditation  Process  (DIACAP],  and  Selected  Information  Assurance  Controls; 
Report  No.  DAO  10-19], 

We  noted  the  following  modified  GAGAS  compliance  statement  in  the  six  audit 
reports  we  reviewed: 

We  conducted  this  performance  audit  in  accordance  with 
generally  accepted  government  auditing  standards  issued  by  the 
Government  Accountability  Office  except  for  the  standard  related 
to  organizational  independence.  This  organizational  impairment 
resulted  from  the  DLA  Office  of  the  Inspector  General  [OIG]  Audit 
Division  (formally  DLA  Accountability  Office  Audit  Division] 
not  being  accountable  to  the  head  or  deputy  head  of  DLA,  and 
conducting  non  audit  services  related  to  Office  of  Management  and 
Budget  Circular  A-123,  Appendix  A,  Management’s  Responsibility 
for  Internal  Control.2  To  correct  this,  we  have  established  policies 
and  procedures  to  provide  reasonable  assurance  of  conforming  to 
applicable  professional  standards.  However,  the  impairment  had  no 
effect  on  the  quality  of  this  report,  as  the  standards  require  that  we 


2  The  organizational  impairments  were  identified  by  the  DoD  OIG  as  significant  deficiencies  during  the  DLA  audit 
organization's  quality  control  review  for  the  period  ended  May  31,  2010  (DoD  IG  Report  No.  D-2011-6-005, 
March  16,  2011). 
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plan  and  conduct  the  audit  to  obtain  sufficient,  appropriate  evidence 
to  provide  a  reasonable  basis  for  our  findings  and  conclusions  based 
on  our  objectives.  We  believe  that  the  evidence  obtained  provides  a 
reasonable  basis  for  our  findings  and  conclusions. 

GAGAS  1.13  (2007  revision]  and  2.25  (2011  revision]  state: 

When  auditors  do  not  comply  with  applicable  requirement^],  they 
should  (1]  assess  the  significance  of  the  noncompliance  to  the  audit 
objectives,  (2]  document  the  assessment,  along  with  their  reasons 
for  not  following  the  requirement^],  and  (3]  determine  the  type 
of  GAGAS  compliance  statement.  The  auditors’  determination  will 
depend  on  the  significance  of  the  requirements  not  followed  in 
relation  to  the  audit  objective  (2007  revision]  and  is  a  matter  of 
professional  judgment,  which  is  affected  by  the  significance  of 
the  requirement^]  not  followed  in  relation  to  the  audit  objectives 
(2011  revision]. 

In  March  2011,  the  DLA  OIG  Quality  Assurance  Division  sent  an  e-mail  to  the 
audit  mangers  informing  them  that  when  using  a  modified  GAGAS  statement,  "if 
the  intent  of  the  GAGAS  requirement  cannot  be  met  through  other  means;  the 
auditor  must  assess  and  document  the  significance  of  the  requirement^]  not 
followed  in  relation  to  the  audit  objectives,  and  determine  the  type  of  GAGAS 
compliance  statement."  This  guidance  was  included  in  the  versions  of  the  QCAP 
that  we  reviewed. 

In  April  2014,  during  discussions  with  DLA  OIG  audit  management  regarding  the 
usage  of  the  modified  GAGAS  statement  in  the  audit  reports,  audit  management 
stated  they  included  the  statement  in  an  attempt  to  be  transparent  to  the  users  of 
their  audit  reports. 

Audit  Reports  Did  Not  Discuss  Sample  Designs  Chosen 

For  two  of  the  six  projects  reviewed,  the  audit  reports  did  not  discuss  the  sample 
designs  and  state  why  the  designs  were  chosen,  including  whether  the  results  could 
be  projected  to  the  intended  population. 

GAGAS  8.13  (2007  revision]  and  7.13  (2011  revision]  state  that  in  reporting 
audit  methodology,  when  sampling  significantly  supports  the  auditors'  findings, 
conclusions,  or  recommendations,  auditors  should  describe  the  sample  design  and 
state  why  the  design  was  chosen,  including  whether  the  results  can  be  projected  to 
the  intended  population.  The  QCAP  states  that  if  the  report  relies  on  a  sample,  a 
description  of  the  methodology  used  to  select  the  sample  must  be  contained  in  the 
scope  and  methodology  section. 
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For  the  Audit  of  DLA  Disposition  Services  Contingency  Operations  in  Afghanistan, 
the  audit  report  did  not  mention  that  out  of  the  141  sample  transactions  selected 
for  testing,  6  transactions  were  judgmentally  selected  (the  remaining  transactions 
were  randomly  selected].  Also,  for  this  project,  the  audit  report  did  not  include 
complete  results  for  the  141  sample  transactions  tested.  The  results  were 
incomplete  because  the  results  were  not  projected  to  the  intended  population, 
and  of  the  141  sample  transactions,  there  was  only  a  discussion  for  76  sample 
transactions.  The  audit  report  did  not  discuss  the  testing  results  for  the  remaining 
65;  it  was  not  clear  if  the  remaining  65  sample  transactions  were  tested  at  all. 

For  the  Audit  of  the  SRM  Program-Europe,  the  audit  report  did  not  describe  the 
sample  designs  for  three  sets  of  samples  the  auditors  used  to  address  the  audit 
objective.  After  the  DoD  OIG  review  team  inquired  about  the  sampling  methods 
used,  DLA  OIG  audit  personnel  stated  that  the  sample  items  for  each  of  the  three 
sets  were  judgmentally  selected. 

Recommendations  Did  Not  Flow  Logically  from  the  Findings 
and  Conclusions 

For  two  of  the  six  projects  reviewed,  the  audit  reports  contained  recommendations 
that  did  not  flow  logically  from  the  findings  and  conclusions.  GAGAS  8.28 
(2007  revision]  and  7.28  (2011  revision]  state  that  auditors  should  make 
recommendations  that  flow  logically  from  the  findings  and  conclusions  and  are 
directed  at  resolving  the  cause  of  identified  deficiencies  and  findings.  The  QCAP 
states  the  audit  report  documents  and  communicates  the  deficiencies  needing 
action,  recommends  the  needed  corrective  action,  and  identifies  who  should  take 
the  action.  The  QCAP  also  states  recommendations  are  most  effective  when  they 
are  specific  and  practical. 

For  the  Audit  of  Real  Property  Additions,  Disposals,  and  Construction-in-Progress, 
Report  No.  DAF-12-15,  six  of  the  nine  recommendations  in  the  audit  report  did 
not  flow  logically  from  the  findings  and  conclusions  because  the  recommendation 
either  included  corrective  action  for  individuals  that  were  not  involved  in  the 
program  and  operations  needing  improvement  or  were  not  directed  at  resolving 
the  cause  of  the  identified  deficiencies/problems.  For  example,  one  of  the 
recommendations  included  corrective  action  for  real  property  officers  even  though 
the  officers  were  not  involved  in  construction  processes  that  were  reviewed  by  the 
DLA  OIG. 

Also  for  this  audit,  three  of  the  nine  recommendations  in  the  audit  report  were 
related  to  real  property  and  real  property  financial  data  generated  from  an 
information  system  used  by  the  audited  entity.  Flowever,  the  auditors  developed 
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the  recommendations  even  though  they  lacked  an  understanding  of  the  information 
system  and  did  not  assess  the  reliability  of  the  computer-processed  data  because 
they  assumed  it  was  accurate. 

For  the  Audit  of  the  SRM  Program-Europe,  one  of  the  six  recommendations 
contained  in  the  audit  report  did  not  flow  logically  from  the  DLA  OIG  auditors' 
findings  and  conclusions,  and  was  not  specific  as  to  how  it  will  improve  programs 
and  operations.  The  DLA  OIG  found  that  the  audited  entity  had  not  consistently 
applied  four  key  programmatic  and  budget  level  approval  controls  for  the  projects 
the  DLA  OIG  reviewed.  The  DLA  OIG's  recommendation  to  the  audited  entity  for 
this  finding  was:  Identify,  perform,  and  document  key  internal  controls  related  to 
technical,  programmatic,  and  funding  reviews  of  SRM  projects. 

The  recommendation  did  not  flow  logically  because  the  DLA  OIG  found  that  the 
audited  entity  did  apply/perform  the  key  internal  controls;  just  not  on  a  consistent 
basis,  which  indicates  the  audited  entity  was  aware  of  and  had  identified  the  key 
internal  controls  that  were  in  place.  Also,  the  recommendation  was  not  specific 
as  to  how  the  recommended  actions  would  improve  programs  and  operations. 

The  recommendation  did  not  define  how  the  suggested  actions  would  solve  the 
problems  detected,  eliminate  the  issue,  or  mitigate  the  risks  involved. 

No  Recommended  Action  to  Correct  Deficiency  Identified 
During  an  Audit 

For  one  of  six  projects  reviewed,  the  DLA  OIG  did  not  recommend  actions  to 
correct  a  deficiency  identified  during  the  audit  and  to  improve  programs  and 
operations  when  the  potential  for  improvement  in  programs,  operations,  and 
performance  was  substantiated  by  the  reported  findings  and  conclusions. 

GAGAS  8.28  (2007  revision]  states  auditors  should  recommend  actions  to  correct 
problems  identified  during  the  audit  and  to  improve  programs  and  operations 
when  the  potential  for  improvement  in  programs,  operations,  and  performance  is 
substantiated  by  the  reported  findings  and  conclusions.  The  QCAP  states  the  audit 
report  documents  and  communicates  the  deficiencies  needing  action,  recommends 
the  needed  corrective  action,  and  identifies  who  should  take  the  action. 

For  the  Audit  of  the  SRM  Program-Europe,  the  DLA  OIG  did  not  develop  a 
recommendation  for  corrective  action  when  they  determined  the  SRM  program 
lacked  training  for  all  parties  involved  in  the  program,  which  could  lead  to  the 
misuse  of  SRM  funds.  When  the  DoD  OIG  review  team  inquired  as  to  why  there 
was  no  recommendation,  DLA  OIG  audit  staff  members  stated  they  believed  the  six 
recommendations  that  were  developed  captured  the  training  aspect. 
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We  disagree  with  the  DLA  OIG's  assessment  that  the  six  recommendations  that 
were  developed  addressed  the  fact  that  there  was  a  lack  of  training  because 
none  of  the  recommendations  mentioned  training.  In  addition,  the  DLA  OIG 
only  recommended  corrective  actions  pertaining  to  internal  controls,  and  for 
implementing  system  enhancements  and  additional  monitoring  and  reconciliation 
processes  and  procedures. 

Validity  of  the  Audited  Entity's  Comments  Not  Evaluated 

For  one  of  the  six  projects  reviewed,  the  audited  entity's  comments  were  in 
conflict  with  the  findings  and  conclusions  in  the  draft  report,  and  the  DLA  OIG 
did  not  evaluate  the  validity  of  the  comments.  GAGAS  8.36  (2007  revision]  states 
that  when  the  audited  entity's  comments  are  inconsistent  or  in  conflict  with 
the  findings,  conclusions,  or  recommendations  in  the  draft  report,  the  auditors 
should  evaluate  the  validity  of  the  audited  entity's  comments.  If  the  auditors 
disagree  with  the  comments,  they  should  explain  in  the  report  their  reasons  for 
disagreement.  Conversely,  the  auditors  should  modify  their  report  as  necessary  if 
they  find  the  comments  valid  and  supported  with  sufficient,  appropriate  evidence. 
The  QCAP  states  that  audit  reports  must  briefly  summarize  management  comments 
and  include  an  evaluation  of  these  comments  in  the  body  of  the  audit  report. 

For  one  of  the  recommendations  in  the  draft  report  for  the  Audit  of  the  SRM 
Program-Europe,  the  audited  entity  concurred  with  comments.  Even  though  the 
audited  entity  concurred  with  the  recommendation,  they  believed  the  DLA  OIG's 
evaluated  projects  were  judgmentally  selected  and  not  a  representative  random 
sample.  From  research  into  the  project  files  and  existing  documentation,  the 
auditors  believed  the  analysis  they  performed  for  review  and  approval  processes 
more  accurately  reflected  actual  occurrences  for  the  situations  than  those 
identified  by  the  DLA  OIG.  In  their  comments,  the  audited  entity  stated  they 
provided  documentation  to  the  DLA  OIG  audit  team  to  support  their  analysis. 

Table  C  identifies  the  differences  between  the  DLA  OIG  and  audit  entity's  findings 
and  conclusions.3 


3  The  exceptions  noted  by  the  DLA  OIG  and  the  audited  entity  were  based  on  the  review/testing  of  39  projects. 


DODIG-2015-054  |  19 


Appendixes 


Table  C.  Differences  Between  the  DLA  OIG  and  Audited  Entity’s  Findings  and  Conclusions 
for  Review  and  Approval  Processes 


DLA  OIG 
Exceptions 

Audited  Entity 
Exceptions 

DLA  OIG  Error 
Rate 

Audited  Entity 
Error  Rate 

Engineer  Technical 
Review 

23 

3 

59% 

7.7% 

Project  Manager 
Approval 

1 

0 

3% 

0% 

Threshold 

Approval 

8 

1 

21% 

2.6% 

Military 

Interdepartmental 
Purchase  Request 
Review  and 

Approval 

16 

0 

41% 

0% 

If  the  DLA  OIG  staff  disagreed  with  the  audited  entity's  analysis  as  shown  in 
Table  C,  they  did  not  explain  in  the  audit  report  their  reasons  for  disagreement. 
Also,  if  they  found  the  comments  valid  and  supported  with  sufficient,  appropriate 
evidence,  they  did  not  modify  their  report  as  necessary. 

OIG  Quality  Control  Policies  and  Procedures 

Independent  Reference  Review  Process  Not  Effective 

For  one  of  the  six  projects  reviewed,  the  independent  reference  review  (IRR] 
process  was  not  effective,  causing  the  audit  report  to  be  released  even  though  there 
was  a  lack  of  sufficient,  appropriate  evidence  to  support  the  reported  findings  and 
conclusions,  and  the  recommendations  did  not  flow  logically.  The  audit  report 
was  rescinded  during  this  review  after  the  DLA  OIG  Quality  Assurance  Division 
identified  deficiencies  that  should  have  been  noted  during  the  IRR  process.  Also, 
we  found  that  for  another  project,  incorrect  and  inadequate  references  were  used 
during  the  IRR  process  and  there  was  no  evidence  showing  that  proper  or  adequate 
references  were  ever  provided  to  the  person  conducting  the  IRR.  In  addition,  for  a 
third  audit  project,  a  table  that  provided  the  results  of  the  auditors'  analysis  was 
not  crossed-referenced  to  the  supporting  documentation. 

GAGAS  A8.02a  (2007  revision]  and  A7.02a  (2011  revision]  state  that  referencing  is 
a  process  in  which  an  experienced  auditor  who  is  independent  of  the  audit  checks 
that  statements  of  facts,  figures,  and  dates  are  correctly  reported,  that  the  findings 
are  adequately  supported  by  the  evidence  in  the  audit  documentation,  and  that 
the  conclusions  and  recommendations  flow  logically  from  the  evidence.  The  QCAP 
states  that  during  the  IRR  process,  the  person  conducting  the  review  verifies  the 
statements  of  facts,  figures,  and  dates  are  correctly  reported,  that  the  findings 
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are  adequately  supported  by  evidence  in  the  audit  documentation,  and  that  the 
conclusions  and  recommendations  flow  logically  from  the  evidence.  Also,  evidence 
must  be  accurate  to  assure  DLA  management  that  what  is  reported  is  credible 
and  reliable. 

For  the  Audit  of  Real  Property  Additions,  Disposals  and  Construction-in-Progress, 
Report  No.  DAF-12-15,  the  IRR  process  did  not  detect  that  the  findings  were 
not  adequately  supported  by  evidence  in  the  audit  documentation,  and  that  the 
conclusions  and  recommendations  did  not  flow  logically  from  the  evidence. 

The  audit  report  for  this  project  was  rescinded  only  after  the  DLA  OIG  Quality 
Assurance  Division  reviewed  the  audit  documentation  and  report  and  determined 
that  significant  issues  existed  that  required  immediate  attention.  Based  on  their 
review  of  the  audit  documentation,  the  Quality  Assurance  Division  believed  the 
audit  work  was  deficient  because  the  audit  team  did  not  evaluate  the  effectiveness 
of  information  systems  controls,  and  the  audit  report  contained  recommendations 
that  did  not  flow  logically  from  the  finding  and  conclusions,  and  were  not  directed 
at  resolving  the  root  causes  of  the  reported  findings. 

For  the  Audit  of  the  SRM  Program-Europe,  Report  No.  DLA  OIG  FY14-04,  we 
identified  instances  where  statements  in  the  audit  report  were  not  supported, 
totals  (for  example,  exceptions  noted  during  testing]  in  the  audit  report 
differentiated  from  the  totals  in  the  audit  documentation,  and  references  provided 
were  inadequate  and  incorrect.  For  the  references  that  were  inadequate  and 
incorrect,  DLA  OIG  audit  staff  was  adamant  that  the  reviewer  was  provided 
the  correct  references  by  a  member  of  the  audit  team  or  the  reviewer  was 
able  to  locate  the  appropriate  references  themselves.  However,  there  was  no 
documentation  to  substantiate  their  claims.  The  DoD  OIG  review  team  was  able  to 
locate  correct  references  after  reviewing  the  audit  documentation. 

For  the  Audit  of  DLA  Non-Energy  Physical  Process,  Report  DAF-12-05,  a  chart 
summarizing  the  auditors'  review  of  the  nonenergy  physical  inventory  processes 
at  the  seven  sites  the  DLA  OIG  visited  was  not  cross-referenced  to  the  supporting 
working  papers. 

The  individuals  who  conducted  the  IRR  for  these  two  projects  signed  the  IRR 
certifications  even  though  IRR  deficiencies  we  noted  existed.  Although  the  IRR 
deficiencies  identified  for  these  two  audit  projects  did  not  limit  the  reliability  of 
the  audit  reports,  this  quality  control  measure  was  compromised  because  without 
adequate  and  appropriate  references,  the  accuracy  and  reliability  of  information 
was  questionable. 
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Quality  Control  Checklists  for  Performance  Audits 

The  QCAP  states  that  to  ensure  each  performance  audit  has  been  performed  in 
accordance  with  standards,  the  AIC  and  audit  manager  must  complete  the  Quality 
Control  Checklist  for  Performance  Audits.  For  two  of  the  six  projects  reviewed,  the 
quality  control  checklists  that  were  prepared  were  incomplete  because  they  did  not 
include  required  approvals  for  the  AIC  and/or  audit  manager. 

For  the  Audit  of  DLA  Disposition  Services  Contingency  Operations  in  Afghanistan, 
the  checklist  did  not  contain  the  approval  of  the  audit  manager.  For  the  Audit 
of  Real  Property  Additions,  Disposals  and  Construction-in-Progress,  27  of  the 
46  questions  in  the  checklist  did  not  contain  the  approval  of  the  AIC. 

Also,  we  identified  four  audit  projects  that  had  sections  of  the  checklist  completed 
even  though  the  audit  documentation  and/or  report  did  not  comply  with  GAGAS 
and  the  QCAP. 

Recommendations,  Management  Comments,  and 
Our  Response 

Recommendation  3 

We  recommend  that  the  Deputy  Inspector  General  for  Auditing,  DLA,  update 
the  Quality  Control  Checklist  for  Performance  Audits  (Report  Writing  section) 
to  include  a  section  that  pertains  to  the  GAGAS  requirements  when  auditors 
do  not  comply  with  applicable  requirements  and  use  a  modified  GAGAS 
statement  in  audit  reports. 

DLA  Comments: 

The  Deputy  Inspector  General  for  Auditing,  DLA  concurred.  DLA  OIG  will  review 
and  update  the  DLA  OIG  QCAP  Checklist  for  Performance  Audits  to  include  a  section 
pertaining  to  compliance  with  GAGAS  reporting  requirements  and  ensure  that  the 
GAGAS  statement  used  in  the  report  complies  with  the  QCAP. 

Our  Response: 

DLA  comments  were  responsive  to  the  recommendation.  No  additional  comments 
are  needed. 
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Recommendation  4 

We  recommend  that  the  Director,  DLA,  remind  auditors  to  follow  QCAP 
guidance  pertaining  to  audit  evidence  and  documentation,  reporting, 
cross-referencing  processes,  and  completing  quality  control  checklists. 

DLA  Comments: 

The  Director,  DLA  concurred.  The  DLA  IG  will  ensure  the  DLA  Director  reminds 
auditors  to  follow  the  DLA  QCAP  guidance  pertaining  to  audit  evidence  and 
documentation,  reporting,  cross-referencing  processes,  and  completing  quality 
control  checklists. 

Our  Response: 

DLA  comments  were  responsive  to  the  recommendation.  No  additional  comments 
are  needed. 
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Appendix  D 

Summary  of  the  Results  of  Our  Interviews 

We  interviewed  20  DLA  OIG  audit  staff  and  managers  to  determine  their  knowledge 
of  DLA  OIG  audit  policies  and  procedures  and  GAGAS.  The  interviews  consisted  of 
questions  related  to  the  DLA  OIG  audit  policies  and  procedures  and  GAGAS.  Table  D 
contains  a  summary  of  the  results  of  the  responses  received. 


Table  D.  Summary  of  Responses  Received 


Areas  Pertaining  to  DLA  OIG  Audit  Division 
Policies  and  GAGAS  Standards 

Responses  to  Questions 

1.  Awareness  of  the  DLA  OIG  Audit 

Organization's  Policies  and  Procedures 

Staff  and  managers  were  aware  of  the  audit 
policies  and  procedures.  The  staff  and 
managers  felt  the  policies  and  procedures 
were  appropriately  designed;  however, 
several  DLA  OIG  auditors  we  interviewed 
felt  the  DLA  OIG  audit  organization's 
policies  and  procedures  needed  to  be 
better  tailored  to  the  DLA  OIG  and  reflect 
the  GAGAS  Conceptual  Framework  for 
Independence  * 

2.  Independence 

Staff  and  managers  indicated  that 
they  did  not  encounter  any  external  or 
organizational  independence  impairments 
when  performing  their  work. 

Staff  and  managers  stated  they  were  aware 
of  the  GAGAS  Conceptual  Framework  for 
Independence,  and  that  it  is  used  during  the 
planning  phase  of  their  audits. 

3.  Competence 

Staff  responses  indicated  that  the 
competency  requirement  was  fulfilled. 

4.  Quality  Control  and  Assurance 

Staff  and  managers  provided  examples 
that  indicated  they  had  an  extensive 
understanding  of  quality  control 
procedures. 

5.  Planning  (Key  Decisions) 

Staff  and  management  involved  with 
audit  planning  documented  key  planning 
decisions  and  communicated  with  the  client 
throughout  the  planning  phase. 

6.  Planning  (Risk) 

Staff  and  managers  stated  that  risk 
assessments  (audit  and  fraud)  are 
conducted  and  documented  for  each  audit. 

7.  Supervision 

All  staff  and  managers  stated  that  they 
received  or  provided  adequate  supervision. 
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Areas  Pertaining  to  DLA  OIG  Audit  Division 
Policies  and  GAGAS  Standards 

Responses  to  Questions 

8.  Audit  Documentation 

Staff  and  managers  provided  examples  of 
procedures  in  place  to  ensure  that  audit 
reports  are  properly  supported. 

9.  Evidence 

Staff  and  managers  provided  examples  of 
actions  taken  to  ensure  the  audit  report  is 
supported  by  the  audit  evidence. 

10.  Reporting  (Timeliness) 

Staff  and  managers  provided  examples 
of  procedures  in  place  to  ensure  that 
information  provided  in  reports  is  current 
and  relevant. 

*  We  reviewed  the  DLA  OIG's  policies  related  to  the  GAGAS  Conceptual  Framework  for 
Independence.  We  deemed  the  policies  to  be  appropriate. 
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Appendix  E 

Scope  and  Methodology 

We  reviewed  10  audit  projects,  which  included  6  completed  audits  and  4  terminated 
audits,  to  assess  the  adequacy  of  the  DLA  OIG  audit  organization's  compliance  with 
quality  control  policies,  procedures,  and  standards.  In  performing  our  review,  we 
considered  the  requirements  of  quality  control  standards  contained  in  the  July  2007 
and  December  2011  revisions  of  GAGAS  issued  by  the  Comptroller  General  of  the 
United  States.4  GAGAS  3.96  states  (2011  revision]: 

The  audit  organization  should  obtain  an  external  peer  review 
sufficient  in  scope  to  provide  a  reasonable  basis  for  determining 
whether,  for  the  period  under  review,  the  reviewed  audit 
organization’s  system  of  quality  control  was  suitably  designed 
and  whether  the  audit  organization  is  complying  with  its  quality 
control  in  order  to  provide  the  audit  organization  with  reasonable 
assurance  of  conforming  with  applicable  professional  standards. 

We  performed  this  review  from  September  2013  to  October  2014  in  accordance 
with  standards  and  guidelines  established  in  the  March  2009  (updated 
November  2012]  CIGIE  Guide  for  Conducting  External  Peer  Reviews  of  the  Audit 
Organizations  of  Federal  Offices  of  Inspector  General.  In  addition,  we  conducted 
this  quality  control  review  in  accordance  with  the  Council  of  the  Inspectors 
General  on  Integrity  and  Efficiency  (CIGIE]  Quality  Standards  for  Inspection  and 
Evaluation.  In  performing  this  review,  we  assessed,  reviewed,  and  evaluated  audit 
documentation  for  completed  and  terminated  audits;  interviewed  DLA  OIG  auditors; 
and  reviewed  DLA  OIG  audit  policies  and  procedures  that  were  published  on 
July  15,  2011,  and  then  revised  on  April  18,  2012. 

Initially,  we  judgmentally  selected  five  completed  audit  projects  from  a  universe 
of  eight  reports  issued  by  the  DLA  OIG  during  the  period  of  October  1,  2012,  to 
September  30,  2013.  In  March  2014,  after  the  DLA  OIG  rescinded  one  of  the  audit 
reports  included  in  the  initial  sample,  we  judgmentally  selected  one  additional 
audit  project  to  review.  The  additional  project  was  selected  from  the  universe 
of  six  reports  issued  by  the  DLA  OIG  during  the  period  of  October  2013  through 
March  2014.  In  selecting  the  audits  to  review,  we  worked  with  the  DLA  OIG  to 
establish  the  universe  of  reports  that  were  issued  during  the  review  period.  We 
then  selected  audits  that  were  more  recent  to  review  the  most  current  quality 
assurance  procedures  being  used. 


4  The  2011  revisions  of  GAGAS  apply  to  performance  audits  beginning  on  or  after  December  15,  2011.  Of  the  six 

completed  projects  (performance  audits)  we  reviewed,  three  began  prior  to  December  15,  2011,  and  three  began  after 
December  15,  2011. 
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Also,  we  reviewed  the  audit  documentation  for  all  the  audits  that  were  terminated 
during  the  review  period  to  determine  whether  DLA  OIG  auditing  staff  documented 
the  results  of  the  work  to  the  date  of  termination  and  why  the  audit  was 
terminated.  We  also  reviewed  the  method  used  to  communicate  the  reason  for 
terminating  the  audit  to  those  charged  with  governance  and  appropriate  officials  of 
the  audited  entity.  We  determined  the  audits  were  terminated  in  accordance  with 
the  DLA  OIG's  policies  and  procedures. 

The  following  tables  identify  the  specific  audit  projects  reviewed.  The  Type  of 
Review  column  contains  information  that  was  determined  by  the  report  GAGAS 
compliance  statement  and/or  the  type  of  review  described  in  the  final  report. 


E-l.  Completed  Audit  Projects 


Audit  Title 

Date  Audit  Was 
Announced 

Report  Number 
and  Issuance  Date 

Type  of  Review 

DLA  Transaction  Services 
Automatic  Addressing 

System  (DAAS) 

July  20,  2011 

DAI-11-08, 

April  8,  2013 

Performance 

Audit  of  the  SRM  Program  - 
Europe 

July  20,  2011 

DLA  OIG  FY14-04, 
December  5,  2013 

Performance 

DLA  OIG  DIACAP  FISMA 

Project 

July  28,  2010 

DAO-10-19, 
December  27,  2011 

Performance 

Real  Property  Additions, 
Disposals  and  Construction- 
in-Progress* 

February  13,  2012 

DAF-12-15, 

December  20,  2012 

Performance 

DLA  Non-Energy  Physical 
Inventory  Process 

February  13,  2012 

DAF-12-05, 

February  25,  2013 

Performance 

DLA  Disposition  Services 
Contingency  Operations  in 
Afghanistan 

February  16,  2012 

DAO-12-07,  January 
15,  2013 

Performance 

*  The  audit  report  for  this  project  was  rescinded  by  the  DLA  OIG  audit  organization  in 
March  2014. 
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E-2.  Terminated  Audits 


Audit  Title  and  Project  Code 

Date  Audit  Was 
Announced 

Date  Audit  Was 
Terminated 

Audit  of  the  Capital  Purchase  Program 
(Project  Code  DAO-10-24)1 

July  1,  2010 

May  30,  2013 

Audit  on  the  Distribution  Standard 
System  Financial  System  Audit 
(Project  Code  DAI-12-10) 

April  10,  2012 

November  2,  2012 

Audit  of  DLA's  Support  to  Hurricane 
Sandy  (Project  Code  DAO  -13-01) 

January  31,  2013 

February  28,  2013 

Audit  of  Performance  Based  Incentive 
Fees  (Project  Code  DAO-10-18)2 

April  2,  2010 

March  21,  2013 

1  Project  Code  DAO-10-24  was  terminated  due  to  the  significant  lapse  in  time  that  occurred 
since  initiating  the  audit  in  July  2010  and  because  of  the  age  of  the  data  included  in  the  scope  of 
the  audit. 


2  Project  Code  DAO-10-18  was  terminated  due  to  quality  issues  identified  during  DLA's 
management  review  process  and  the  reassignment  of  key  audit  personnel  to  positions  outside  of 
the  DLA  OIG  audit  organization. 

Our  review  would  not  necessarily  disclose  all  weaknesses  in  the  system  of  quality 
control  or  all  instances  of  noncompliance  because  we  based  our  review  on  selective 
tests.  There  are  inherent  limitations  in  considering  the  potential  effectiveness  of 
any  quality  control  system.  Departures  from  GAGAS  can  result  from  misunderstood 
instructions,  mistakes  in  judgment,  carelessness,  or  other  human  errors.  Projecting 
any  evaluation  of  a  quality  control  system  is  subject  to  the  risk  that  one  or  more 
procedures  may  become  inadequate  because  conditions  may  change  or  the  degree 
of  compliance  with  procedures  may  deteriorate. 
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Defense  Logistics  Agency 


DEFENSE  LOGISTICS  AGENCY 
HEADQUARTERS 
8725  JOHN  J.  KINGMAN  ROAD 
FORT  BELVOIR,  VIRGINIA  22060-6221 


DEC  0  8  20H 


MEMORANDUM  FOR  OFFICE  OF  THE  INSPECTOR  GENERAL,  AUDIT  POLICY  AND 
OVERSIGHT,  DEPARTMENT  OF  DEFENSE 

SUBJECT:  Response  to  Draft  Report,  “Quality  Control  Review  of  the  Defense  Logistics 
Agency  Audit  Organization  (Project  No.  D2013-DAPOIA-234.000) 


Attached  is  the  Defense  Logistics  Agency’s  (DLA)  response  to  the  subject  draft  report. 
We  appreciate  the  opportunity  to  review  and  comment  on  the  findings  and  recommendations. 


Vice  Director 

Attachment 
As  stated 
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Defense  Logistics  Agency  (cont'd) 


SUBJECT:  DLA  RESPONSE  TO  DRAFT  REPORT  “QUALITY  CONTROL  REVIEW  OF 
THE  DEFENSE  LOGISTICS  AGENCY  AUDIT  ORGANIZATION” 


In  response  to  the  DoD  IG  Quality  Control  Review  of  the  DLA  OIG  (Audit)  for  the  period  ended 
September  30, 2013,  we  have  concurred  with  and  described  our  implementation  methodology  for 
each  of  the  four  recommendations.  All  corrective  actions  will  be  completed  no  later  than  June 
2015.  Additionally,  the  DLA  OIG  will  begin  working  with  DoD  IG  to  schedule  our  peer  review 
for  the  period  October  1 , 20 13  to  September  30, 2016  so  that  it  is  completed  in  a  timely  manner 


Recommendation  1:  We  recommend  the  Inspector  General,  DLA,  update  the  Quality  Control 
and  Assurance  Procedures  (QCAP)  to  include  policies  and  procedures  that  explain  how  to  (1) 
evaluate  the  impact  of  previously  performed  non-audit  services  on  auditors’  independence  on  a 
prospective  or  current  engagement  and  (2)  address  any  threats  identified. 

DLA  Management  Comments:  Concur.  Additional  guidance  will  be  added  to  the  DLA 
Quality  Control  and  Assurance  Procedures  (QCAP)  to  evaluate  the  impact  of  previously 
performed  non-audit  services  on  auditors’  independence  on  a  prospective  or  current  engagement. 
If  significant  threats/risks  are  identified,  appropriate  mitigating  controls  will  be  addressed  and 
documented.  During  the  independence  review  conducted  on  each  project,  the  audit  team  will 
consider  the  impact  of  previously  performed  non-audit  services  on  auditors’  independence.  If 
significant  threats  are  identified,  appropriate  mitigating  controls  will  be  incorporated  into  the 
audit  plan.  ECD:  March  2015. 

Recommendation  2:  We  recommend  that  Inspector  General,  DLA,  take  additional  steps  to 
ensure  the  audit  organization  complies  with  GAGAS  and  the  QCAP.  The  quality  control  review 
results  showed  that  the  audit  organization  needs  to  take  additional  steps  because  the  current 
policy  and  procedures  do  not  appear  to  be  enough  to  consistently  achieve  a  reasonable  level  of 
compliance.  Additional  steps  should  include: 

•  Provide  training  to  the  staff  to  improve  the  audit  organization’s  understanding  and 
knowledge  of  the  following  GAGAS  standards:  professional  judgment,  supervision,  and 
audit  evidence  and  documentation  (accessing  the  reliability  of  computer-generated  data). 

•  Establish  a  6-month  plan  identifying  high-risk  areas  to  review  for  compliance  with 
internal  quality  control  policies  and  procedures  and  GAGAS. 

DLA  Management  Comments:  Concur.  Additional  training  will  be  provided  to  auditors-in- 
chargc  in  the  last  week  of  J anuary  20 1 5  in  the  internally  developed  school,  with  the  remaining 
auditors  attended  by  June  2015.  The  course  will  provide  training  on  how  audits  should  be 
conducted  to  ensure  conformity  with  generally  accepted  government  auditing  standards 
(GAGAS)  and  the  DLA  QCAP  as  well  as  standardizing  operations  between  teams.  The  course 
will  walk  the  auditors  through  the  entire  audit  cycle  and  will  include  exercising  and  documenting 
professional  judgment,  documenting  supervision  of  auditors,  and  assessing  the  reliability  of 
computer-generated  data,  independence,  and  internal  controls.  Subsequent  to  the  completion  of 
the  semi-annual  internal  quality  assurance  reviews,  audit  leadership  will  discuss  the  results  of 
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Defense  Logistics  Agency  (cont'd) 


high-risk  areas  identified  and  emphasize  the  importance  of  compliance  with  GAGAS  and  the 
DLA  QCAP  during  the  performance  and  review  of  future  audit  projects.  ECD:  June  2015. 

Recommendation  3:  We  recommend  that  the  Deputy  Inspector  General  for  Auditing,  DLA, 
update  the  Quality  Control  Checklist  for  Performance  Audits  (Report  Writing  section)  to  include 
a  section  that  pertains  to  the  GAGAS  requirements  when  auditors  do  not  comply  with  applicable 
requirements  and  use  a  modified  GAGAS  statement  in  audit  reports. 

DLA  Management  Comments:  Concur.  DLA  OIG  will  review  and  update  the  DLA  OIG 
QCAP  Checklist  for  Performance  Audits  to  include  a  section  that  pertains  to  compliance  with 
GAGAS  reporting  requirements  and  ensuring  that  the  GAGAS  statement  used  in  the  report 
complies  with  QCAP  section4400.  ECD:  January  2015. 

Recommendation  4:  We  recommend  that  the  Director,  DLA,  remind  auditors  to  follow  QCAP 
guidance  pertaining  lo  audit  evidence  and  documentation,  reporting,  cross-referencing  processes, 
and  completing  quality  control  checklists. 

DLA  Management  Comments:  Concur.  The  DLA  IG  will  ensure  the  DLA  Director  reminds 
auditors  to  follow  the  DLA  QCAP  guidance  pertaining  to  audit  evidence  and  documentation, 
reporting,  cross-referencing  processes,  and  completing  quality  control  checklists.  ECD: 
December  2014. 
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Acronyms  and  Abbreviations 

AIC  Auditor  in  Charge 

CIGIE  Council  of  Inspectors  General  on  Integrity  and  Efficiency 
CIP  Construction-in-Progress 
DAAS  Defense  Automatic  Addressing  System 
DFAMS  Defense  Fuel  Automated  Management  System 
DLA  Defense  Logistics  Agency 
EBS  Enterprise  Business  System 
FISMA  Federal  Information  Security  Management  Act 
GAAP  Generally  Accepted  Accounting  Principles 
GAGAS  Generally  Accepted  Government  Auditing  Standards 
GAO  Government  Accountability  Office 
IRR  Independent  Reference  Review 
MIDAS  Management  Information  Distribution  and  Access  System 
OIG  Office  of  the  Inspector  General 
QCAP  Quality  Control  and  Assurance  Procedures 
SRM  Sustainment,  Restoration,  and  Modernization 
SRM-E  Sustainment,  Restoration,  and  Modernization-Energy 
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Whistleblower  Protection 

U.S.  Department  of  Defense 


The  Whistleblower  Protection  Enhancement  Act  of  2012  requires 
the  Inspector  General  to  designate  a  Whistleblower  Protection 
Ombudsman  to  educate  agency  employees  about  prohibitions 
on  retaliation,  and  rights  and  remedies  against  retaliation  for 
protected  disclosures.  The  designated  ombudsman  is  the  DoD  Hotline 
Director.  For  more  information  on  your  rights  and  remedies  against 
retaliation,  visit  www.dodig.mil/programs/whistleblower. 


For  more  information  about  DoD  IG 
reports  or  activities,  please  contact  us: 

Congressional  Liaison 

congressional@dodig.mil;  703.604.8324 

Media  Contact 

public.affairs@dodig.mil;  703.604.8324 

Monthly  Update 

dodigconnect-request@listserve.com 

Reports  Mailing  List 

dodig_report@listserve.com 

Twitter 

twitter.com/DoD_IG 

DoD  Hotline 

dodig.mil/hotline 
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